diff options
| author |   Sven Vermeulen <sven.vermeulen@siphos.be> | 2011-12-14 21:12:05 +0100 |
|---|---|---|
| committer | Sven Vermeulen <sven.vermeulen@siphos.be> | 2011-12-14 21:12:05 +0100 |
| commit | 8e2bfebca6699d43df0ab162e2a133e1da4da4d3 (patch) | |
| tree | 21b9a0c99ba25f459f7e4376fc686b3c78e77f9c | |
| parent | Add blurb on consequences of disabling SELinux support in portage (diff) | |
| download | hardened-docs-8e2bfebca6699d43df0ab162e2a133e1da4da4d3.tar.gz hardened-docs-8e2bfebca6699d43df0ab162e2a133e1da4da4d3.tar.bz2 hardened-docs-8e2bfebca6699d43df0ab162e2a133e1da4da4d3.zip | |
Add information on HOME=/, cfr bug #392699
| -rw-r--r-- | xml/selinux/modules/cron.xml | 44 |
1 files changed, 13 insertions, 31 deletions
diff --git a/xml/selinux/modules/cron.xml b/xml/selinux/modules/cron.xml index 4683c18..e909ff8 100644 --- a/xml/selinux/modules/cron.xml +++ b/xml/selinux/modules/cron.xml @@ -14,11 +14,11 @@ domains and interactions. </abstract> <!-- The content of this document is licensed under the CC-BY-SA license --> -<!-- See http://creativecommons.org/licenses/by-sa/2.5 --> -<license/> +<!-- See http://creativecommons.org/licenses/by-sa/3.0 --> +<license version="3.0"/> -<version>2</version> -<date>2011-08-13</date> +<version>3</version> +<date>2011-12-14</date> <chapter> <title>Structure</title> @@ -231,6 +231,13 @@ This means that the cronjobs must be defined as either </ul> <p> +Second, make sure that your <path>/etc/crontab</path> uses <c>HOME=/</c>. +Setting this to another <c>HOME</c> directory might confuse some applications. +With SELinux enabled, this could cause those applications to try and read the +root users' home directory, which isn't allowed by policy. +</p> + +<p> Next, verify that the commands you want to run (and thus their target domain in which they will run) are allowed for the <e>system_cronjob_t</e> domain. </p> @@ -257,38 +264,13 @@ An example policy file to allow executing <c>dmesg</c>: policy_module(fixcron, 1.0) require { - type system_cronjob_t; + type dmesg_t; } -dmesg_domtrans(system_cronjob_t) +cron_system_entry(dmesg_t) </pre> <p> -In order to find out which specific calls are necessary, it can come in handy to -use the privileges assigned to the <e>sysadm_t</e> domain. Take a look at this -<uri -link="http://oss.tresys.com/projects/refpolicy/browser/policy/modules/roles/sysadm.te">sysadm.te</uri> -file. If you search for "dmesg" you will notice the following in the file: -</p> - -<pre caption="Snippet in sysadm.te related to dmesg"> -128 ') -129 -130 optional_policy(` -131 dmesg_domtrans(sysadm_t) -132 ') -133 -134 optional_policy(` -</pre> - -<p> -It is this call - <c>dmesg_domtrans</c> - that we are interested in (and which you -can notice in the sample policy mentioned above. It is possible that you notice -a <c>_run</c> or <c>_exec</c> instead. Try this one first, but most of the time -you'll need a <c>_domtrans</c> method. -</p> - -<p> For more information or help with managing your policies, do not hesitate to drop by on <c>#gentoo-hardened</c> in <c>irc.freenode.net</c>. </p> |